John Levine wrote:
> I believe that it works to the extent that it covers immediate subdomains
> of the domain for which you're publishing an SSP/ASP record.
>
> The question is whether that small amount of coverage is worth the
> pushback we will certainly get from the IAB when they see the tree
> crawling in our draft. If bad guys know that foo.cisco.com is covered,
> why won't they just use foo.bar.cisco.com instead?
Put forward as an efficiency hack, to avoid having to make a number of one-level-down DNS records, the mechanism has no claim towards affecting security. Taken on its own, therefore, the question is whether the mechanism is a) worth the effort on a normal implementation cost vs. operational benefit basis, and b) worth the effort to run contrary to established DNS practice and, now, IAB preferences.

Put forward as having any security characteristics, such as enforcing the ASP security model, this DNS hack is likely to have quite a bit of pushback, as you note.

d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
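To make the coverage point in the exchange above concrete, here is an added example (not code from the list or from any DKIM implementation) that models a one-level-up "tree crawl" against a constructed in-memory set of published practices records. The record location `_asp._domainkey.<domain>` and the in-memory zone are assumptions; a real resolver would issue TXT queries instead.

```python
"""Model of a practices-record lookup with a limited parent "tree crawl".

Added example, not from the thread. Shows which author domains a single
record at cisco.com covers when the verifier walks up at most one label,
and how many queries each lookup costs.
"""

# Constructed zone: only cisco.com publishes a practices record.
# The "_asp._domainkey" prefix is an assumption for illustration.
PUBLISHED = {
    "_asp._domainkey.cisco.com": "dkim=all",
}

QUERIES = []  # constructed query log, to count lookups per author domain


def lookup_record(name):
    """Stand-in for a DNS TXT query; returns the record text or None."""
    QUERIES.append(name)
    return PUBLISHED.get(name)


def parent(domain):
    """Strip the leftmost label; None when nothing is left."""
    labels = domain.split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else None


def find_practices(author_domain, crawl_levels=1):
    """Look at the author domain, then walk up at most `crawl_levels`
    parents (the thread discusses one). Returns (domain_found, record)
    or (None, None); never queries a bare TLD."""
    domain = author_domain.lower().rstrip(".")
    for _ in range(crawl_levels + 1):
        rec = lookup_record(f"_asp._domainkey.{domain}")
        if rec is not None:
            return domain, rec
        domain = parent(domain)
        if domain is None or "." not in domain:  # reached a TLD: stop
            return None, None
    return None, None


def query_cost(author_domain, crawl_levels=1):
    """Number of lookups a single verification needs."""
    before = len(QUERIES)
    find_practices(author_domain, crawl_levels)
    return len(QUERIES) - before
```

With one level of crawling, foo.cisco.com is covered by the cisco.com record but foo.bar.cisco.com is not, which is exactly the gap the quoted question raises; each extra level adds one query to every failed lookup.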
